The Vendor Behind Your Vendor
Health plans conduct due diligence on the coding vendors they hire. They evaluate methodology, review sample output, check certifications, and negotiate compliance provisions in contracts. What most plans don’t evaluate with the same rigor is who their vendor subcontracts to. Many risk adjustment coding companies, particularly those operating at high volume, subcontract portions of their chart review work to third-party coding firms, often offshore.
The plan’s contract is with the primary vendor. But the coders reviewing the charts may work for a subcontractor the plan has never evaluated, never audited, and never directly governed. The plan’s compliance provisions bind the primary vendor. Whether those provisions flow through to subcontractors depends on the subcontracting agreement, which the plan may not have reviewed or may not have the right to inspect.
This creates a governance blind spot. The plan is liable for every code submitted to CMS regardless of who produced it. If a subcontractor’s coders are undertrained, if they operate without AI-assisted MEAT validation, if they code in one direction only, the plan carries the full regulatory exposure from their work. The DOJ doesn’t distinguish between codes produced by the plan’s direct vendor and codes produced by the vendor’s subcontractor. It cares about what was submitted and whether it’s defensible.
Where Subcontracting Risk Concentrates
Subcontracting risk is highest in three scenarios. First, volume surges. When a vendor takes on more work than its internal team can handle, it subcontracts overflow to meet deadlines. These overflow coders may not have the same training, the same tools, or the same quality standards as the vendor’s core team. The plan sees the same deliverable format, but the quality of the underlying work product varies.
Second, offshore coding. Vendors that subcontract chart review to international coding teams introduce variability in clinical documentation interpretation, MEAT criteria application, and regulatory context understanding. Coders trained in different healthcare systems may apply different documentation standards than U.S.-trained coders familiar with CMS audit expectations.
Third, white-label arrangements. Some vendors resell another company’s coding technology and services under their own brand. The plan thinks it’s working with one vendor but is actually receiving output from a different organization’s platform and workforce. The plan’s due diligence evaluated the sales organization, not the production organization.
Need a Criminal Defense Lawyer? MyLawyer360.com in 2026
Contract Provisions That Close the Gap
Plans should require subcontracting disclosure in every vendor contract. The vendor must identify all third parties involved in producing coding output, including their location, certifications, training standards, and technology. The plan should have the right to audit subcontractor quality directly, not through the primary vendor’s self-reporting.
Flow-through provisions are essential. Every compliance requirement in the primary contract, including two-way coding methodology, MEAT evidence documentation, AI explainability, and audit-ready output, must apply identically to subcontractors. If the primary vendor can’t guarantee that subcontractors meet the same standards, the plan needs to know that before signing, not after an audit finding traces back to subcontractor-produced codes.
Quality segregation is a practical safeguard. The vendor should tag which coders or teams produced each chart review so the plan can monitor quality by source. If subcontractor-produced output shows different accuracy rates, different deletion rates, or different defensibility scores than internally produced output, the plan can intervene before the quality gap becomes an audit gap.
Governing the Full Chain
Risk Adjustment Coding Companies that subcontract without transparency are creating compliance exposure they may not fully disclose to their clients. Plans that don’t ask about subcontracting are accepting risk they can’t quantify. The governance chain must extend from the plan through the primary vendor to every subcontractor whose work contributes to the plan’s CMS submissions. Any break in that chain is a blind spot where quality, methodology, or compliance standards may not apply, and the plan bears full liability for whatever comes out the other side.
